So I've been working on a particularly complicated and convoluted set of log files that require a bit of regex work to be done. We've gotten the field extraction page to grab the right fields, and even tested the rex on the data set, first with head 10000 and then with no head at all, and it works fine. However, once we save the extractions we get nothing; no fields ever show up, even if we tell it to show fields with no related records. Any idea what we are missing here?
Edit:
all extractions are in the search app, but are given global permissions.
We have restarted our Splunk server several times; a few of the extractions from our transforms file show up, but that's it.
As for our formatting, the field extractor builds them and we click the test button and it works just fine in the testing window, but it's exactly when we save it that it just disappears.
We just updated to Splunk ver 6; are we missing some configurations?
Because of how detailed the fields are I was using multiple words to name them and was inadvertently adding spaces to my field names causing them to not work after saving them. Thanks Kristian!
Another possible solution (for someone else) is that the results selector right under the search (magnifying glass) is in 'Fast Mode'. This will turn off field discovery. If you want to get the most fields, put it in 'Smart Mode' or 'Verbose Mode'.
Wait a minute.. That makes me an idiot, ok editing my extractions now to kill all of those! Thanks for your help!
No hyphens in the field names, but some names do contain spaces.
Do you give the fields names with hyphens?
You don't have any hyphens in the field names?
problem: my-new-field
will work: my_new_field
will work: myNewField
Post the configs also, so that you can get help with debugging. You should be aware that there will be slight differences in the regex, depending on whether you use it in a props.conf EXTRACT or in a rex statement in the search query (mainly to handle escaping).
/k
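As an added illustration (not code from the thread), here is a small Python check that mirrors the naming rule behind the answer above: a saved extraction becomes a regex with one named capture group per field, and named groups only accept letters, digits and underscores, so a hyphenated or spaced name never turns into a field. The sample log line and field patterns are constructed for the example.

```python
import re

# Splunk field extractions become named capture groups, and a named group
# may only contain letters, digits and underscores and must not start with
# a digit. "my-new-field" or "my new field" can never become such a group,
# which is why the extraction tests fine but yields no field after saving.
FIELD_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def valid_field_name(name: str) -> bool:
    """True if the name is legal as a Splunk extraction field name."""
    return bool(FIELD_NAME_RE.match(name))


def sanitize_field_name(name: str) -> str:
    """Rewrite a descriptive name into a legal one (spaces/hyphens -> underscores)."""
    cleaned = re.sub(r"[^A-Za-z0-9_]+", "_", name.strip()).strip("_")
    if not cleaned or cleaned[0].isdigit():
        cleaned = "_" + cleaned
    return cleaned


def build_extraction(field_patterns):
    """Join (field, sub-pattern) pairs into one regex with a named group per field.

    Refuses illegal names up front instead of saving an extraction that
    can never produce a field."""
    bad = [f for f, _ in field_patterns if not valid_field_name(f)]
    if bad:
        raise ValueError(f"illegal field names: {bad}")
    return r"\s+".join(f"(?P<{f}>{p})" for f, p in field_patterns)


def extract_fields(regex: str, line: str) -> dict:
    """Apply the extraction regex to one event and return the fields it yields."""
    m = re.search(regex, line)
    return m.groupdict() if m else {}


# Constructed sample event and field layout (hypothetical sensor log).
SAMPLE = "2013-10-21T10:15:32Z sensor-7 TEMP 23.5 OK"
PATTERNS = [
    ("event_time", r"\S+"),
    ("sensor_id", r"\S+"),
    ("metric", r"[A-Z]+"),
    ("reading", r"[0-9.]+"),
    ("status", r"\w+"),
]

if __name__ == "__main__":
    print(extract_fields(build_extraction(PATTERNS), SAMPLE))
    print(sanitize_field_name("sensor reading value"))
```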
Just try restarting Splunk. I had it working so many times doing that.
Yes they are; everything is inside the search app, and they all have global permissions.
Are they saved in the same app you are using?